Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: stopping bots from phoning home

From: Kevin <kkadow () gmail com>
Date: Wed, 7 Sep 2005 23:43:56 -0500
On 9/7/05, mason () schmitt ca <mason () schmitt ca> wrote:

We take this a step further -- let all traffic that hits the blocks talk
to a "sandbox" minimal IRCd, and if the traffic looks like bot chatter,
quarantine the source host.


Do you use bopm or something like that on your sandbox ircd?


We just run a very basic IRCd, modified to generate a log event for
each PRIVMSG, JOIN, NICK and other similar command issued by
any client.  We can also look at the original destination IP they
addressed, and check this against a list of known C&C channels.

My customer base is very sensitive about even giving the
impression of "port scanning", so we have to learn as much as we
can from the sessions they initiate towards our infrastructure.



I'm not sure that an explicit proxy solution will fly in a public ISP,
customers just are not going to be comfortable with having to jump
through hoops when they're used to just being able to click on the
"live chat" button on their brokerage or Invader Zim webboard and go
right into a conversation.  Most of the time the user doesn't even know
they are using IRC!


I'm somewhat sceptical that some "live chat" buttons actually invoke IRC.
Or Invader Zim webboard for that matter ;)  Are you sure?  Can you give me
a real example?


The first "real" user who complained had clicked through from JDate,
and suddenly found himself chatting with 37 instances of SDBot...

As for Invader Zim, see http://www.badbadrubberpiggy.com/chat.php/


Kevin Kadow
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: